
Upgrading Domain Controllers to Windows Server 2012 R2

With the release of Windows Server 2012 R2 to MSDN, which was recently announced HERE, it is time for me to upgrade my lab domain controllers to Windows Server 2012 R2.

I started by first “upgrading” my Hyper-V hosts to Windows Server 2012 R2, so that I could take full advantage of all the new Hyper-V benefits in 2012 R2. That was pretty simple: shut down the OS, unplug the additional storage in the machine that holds all my VMs, and boot from a USB key containing WS2012R2. Then, once I had added the Hyper-V role back, I simply reconnected my storage to the system and imported the VMs I had been running before.

My next step in upgrading my VMs targets the domain controllers. I have two DCs, each running AD services, certificate services, DHCP, DNS, etc. Since I don’t want to risk messing up the complex configuration of each service, I chose to deploy two NEW VMs as additional DCs, and I will migrate the other roles to the new DCs later.

My first step is to deploy the two new VMs. The first decision I need to make is whether to use Gen1 or Gen2 VMs:

Gen2 VMs are a new feature of Hyper-V in Windows Server 2012 R2, and offer significant advantages over Gen1 VMs, such as Secure Boot, dropping emulated devices like IDE in favour of SCSI disks even for the boot volume, PXE boot on a standard (synthetic) NIC, etc. Read more about Gen2 VMs here: http://technet.microsoft.com/en-us/library/dn282285.aspx

Installing Windows Server 2012 R2 is just like any other OS install. When setup stopped at the product key screen, I decided to leverage another new Windows Server 2012 R2 feature: Automatic Virtual Machine Activation (AVMA). You can use these new keys to activate guests when they are running on Windows Server 2012 R2 Hyper-V. Read more about Automatic VM Activation here: http://technet.microsoft.com/en-us/library/dn303421.aspx

I renamed the VMs with the correct server names and joined them to my domain.

After adding the Active Directory Domain Services role, you will see a post-deployment task warning prompting you to run the promotion:

When you promote the first DC running Windows Server 2012 R2, the wizard runs the forest prep, schema update and domain prep for 2012 R2 automatically.

When it is complete, you will see your new DCs in the Domain Controllers OU in Active Directory.
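The deployment steps above, from creating the Gen2 VMs through joining the domain and promoting them, as one added PowerShell example. This is not the post's own script: the VM names (DC03, DC04), the domain name, the storage and ISO paths and the virtual switch name are all assumed lab values; the cmdlets are the standard Hyper-V, ADDSDeployment and ActiveDirectory module ones.

```powershell
# Added example (not the original post's commands). Every name, path and the
# domain below is an assumed lab value; replace them with your own.

# ---------- Part 1: run on the Windows Server 2012 R2 Hyper-V host ----------
function New-LabDcVm {
    param(
        [string[]]$Name       = @('DC03', 'DC04'),      # assumed new DC names
        [string]  $VhdRoot    = 'D:\VMs',               # assumed VHDX location
        [string]  $IsoPath    = 'D:\ISO\WS2012R2.iso',  # assumed install media
        [string]  $SwitchName = 'External'              # assumed virtual switch
    )
    foreach ($vm in $Name) {
        # Generation 2: UEFI firmware, Secure Boot, SCSI boot disk, no emulated IDE
        New-VM -Name $vm -Generation 2 -MemoryStartupBytes 2GB -SwitchName $SwitchName `
               -NewVHDPath "$VhdRoot\$vm.vhdx" -NewVHDSizeBytes 60GB
        # Gen2 VMs have no IDE controller, so the DVD drive is SCSI-attached as well
        Add-VMDvdDrive -VMName $vm -Path $IsoPath
        $dvd = Get-VMDvdDrive -VMName $vm
        # Boot setup from the DVD once, with Secure Boot left on
        Set-VMFirmware -VMName $vm -FirstBootDevice $dvd -EnableSecureBoot On
        Start-VM -Name $vm
    }
}
# New-LabDcVm
# Install Windows Server 2012 R2 in each VM; with an AVMA key the guest activates on its own.

# ---------- Part 2: run inside each new guest once setup has finished ----------
function Join-LabDomain {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. 'corp.example.com' (assumed)
        [Parameter(Mandatory)][string]$NewName   # 'DC03' on one guest, 'DC04' on the other
    )
    $cred = Get-Credential -Message "Domain Admin credentials for $Domain"
    # Rename and join in a single step; the guest reboots as a domain member
    Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart
}
# Join-LabDomain -Domain 'corp.example.com' -NewName 'DC03'

# ---------- Part 3: run inside the guest again after that reboot ----------
function Install-LabDc {
    param([Parameter(Mandatory)][string]$Domain)
    # Adding the role is what raises the post-deployment "promote" task in Server Manager
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

    # For the FIRST 2012 R2 DC the account must be in Schema Admins and Enterprise
    # Admins, because this promotion runs the 2012 R2 forest/schema/domain prep itself.
    $cred = Get-Credential -Message "Enterprise/Schema Admin credentials for $Domain"
    Import-Module ADDSDeployment
    Install-ADDSDomainController -DomainName $Domain -Credential $cred `
        -InstallDns `
        -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
        -Force
    # The server reboots as an additional DC in the existing domain.
}
# Install-LabDc -Domain 'corp.example.com'

# ---------- Part 4: confirm both new DCs are registered and are global catalogs ----------
function Get-LabDcSummary {
    Import-Module ActiveDirectory
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, OperatingSystem, IsGlobalCatalog, IPv4Address |
        Format-Table -AutoSize
}
# Get-LabDcSummary
```

The four functions run on different machines (host, then each guest), which is why each takes its inputs as parameters rather than sharing variables; uncomment the call under each one on the machine it belongs to.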

The next step in the process is to migrate the AD Operations Master (FSMO) roles. The simplest way to move these roles is via PowerShell; with the Windows Server 2012 Active Directory PowerShell module this can be done from any machine that has the module installed. Simply run the following commands to view your current configuration and then change it:

When complete, run “netdom query fsmo” again and ensure that your operations master roles have been moved successfully.

Then you simply need to migrate any other roles or services running on the old DCs, and demote them when that is complete. To demote a domain controller on Server 2012, start by removing the Active Directory Domain Services role; the wizard will prompt you, via a task link, to demote the DC first. Once demoted, you can remove the server from the domain.
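The role transfer, the netdom verification and the demotion described in the three paragraphs above, as one added PowerShell example. It is not the post's own script: DC03 is the assumed new 2012 R2 DC that receives the roles and DC01 the assumed 2012 DC being retired; the cmdlets are the standard ActiveDirectory and ADDSDeployment module ones, and the replication check uses repadmin, which is present on any DC.

```powershell
# Added example (not the original post's commands). 'DC03' and 'DC01' are assumed names.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # The two forest-wide roles hang off the forest object, the three domain-wide
    # roles off the domain object; this returns all five in one record.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmo {
    param([Parameter(Mandatory)][string]$TargetDc)
    # One call transfers all five roles. Without -Force this is a graceful transfer
    # and the current holder must be online. -Force seizes the roles instead and is
    # only for a holder that is permanently gone; a seized-from DC must never be
    # brought back online afterwards.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false
}

function Test-FsmoOn {
    # $true only when every role reports the target DC (host-name comparison, so a
    # plain name or an FQDN both work; -ne is case-insensitive in PowerShell).
    param([Parameter(Mandatory)][string]$TargetDc)
    $holders = (Get-FsmoHolder).PSObject.Properties.Value
    $want    = ($TargetDc -split '\.')[0]
    -not ($holders | Where-Object { ($_ -split '\.')[0] -ne $want })
}

# --- 1. Look before you move ---
Get-FsmoHolder

# --- 2. Transfer every role to the new 2012 R2 DC ---
Move-AllFsmo -TargetDc 'DC03'

# --- 3. Verify with the cmdlets and with the post's netdom cross-check ---
if (-not (Test-FsmoOn -TargetDc 'DC03')) { throw 'Not every role moved; do not demote yet.' }
netdom query fsmo

# --- 4. Confirm replication is healthy before demoting anything ---
repadmin /replsummary
repadmin /showrepl DC01

# --- 5. On the old DC itself: demote, then remove the role and leave the domain ---
# Without -DemoteOperationMasterRole the demotion stops if this DC still holds a
# role, which is a useful safeguard after step 3.
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword (Read-Host 'New local Administrator password' -AsSecureString) `
    -Force
# After the reboot:
Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Remove-Computer -UnjoinDomainCredential (Get-Credential) -Restart
```

Steps 1 to 4 can run from any machine with the AD module; step 5 runs on the DC being demoted. The replication check in step 4 is the guard that matters most: demoting a DC whose partners have not replicated its changes is how a domain ends up with no usable copy of the directory.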

Okay, I have tried it. Had two!!! new 2012 R2 DC’s in my domain. After transferring all roles and demoting the last “old” 2012 DC my complete domain was gone !?!?!?!?!
Luckily I had an export (VM) of the last “old” DC so I was able to restore it.
Somehow replication between the 2012 DC and the 2012 R2 DC did not work.

Also I would suggest you research Kerberos 5 vs 4 – as the functional level change can cause problems for systems that rely on V4, which could break when you raise the functional level of the domain after you’ve brought in your 2012 R2 DC’s.

Those of you doing crypto know that Kerberos v4 used a Pseudo Random Generator (PRG) provided by GNU libc random(). The whole point of the PRG was to be unpredictable; its unpredictability makes it appear ‘random’.

Firstly, this doesn’t have perfect security as the key is not as long as the message. GNU libc random() can be broken with an XOR pretty easily, because the prefix bits are predictable.

@Suresh –
We do not support moving SCOM servers from one domain to another, nor do we support having management servers in different domains in the same management group. If you are migrating from one domain to another, you’d need to deploy a new SCOM management group in the new domain. If you just want to monitor machines in both domains you can use a single SCOM management group in either domain, then monitor the other domain using gateways.

Hello,
Previously I had a test environment which is a domain controller, but I need to change that domain. I mean I need to add my machine into some other machine, but I have installed SCOM 2012 SP1 on the domain controller account (server.com). Now I need to shift to some other domain (servermachine.com). If I change my domain, how can I configure my SCOM to use another management server and the existing management server?

Yes, since Windows Server 2012 adprepping is a transparent process. You don't have to do that manually as on the earlier operating systems. You are still allowed to do it manually, but only on 64-bit OSes, because adprep no longer ships for 32-bit (like adprep32 from the Windows Server 2008 R2 media). So, when you have a 32-bit DC with FSMO roles (Schema, Infrastructure) you need to rely on transparent adprepping during the new DC promotion process.

You still need to have appropriate credentials when you are deploying your first new Windows Server 2012 R2 DC (Schema Admin and Domain Admin or Enterprise Admin)

If you try to install/update a 2012 PDC to 2012 R2 it fails because it says “Active Directory on this domain controller does not contain Windows Server 2012 R2 ADPREP /FORESTPREP updates. See http://go.microsoft.com/fwlink/?LinkId=113955.”

How does this article relate? And the issue is: do we need to remove a DC to upgrade it? Because it doesn’t want to install AD from the 2012 R2 media.

Not sure if this is the right forum.
I am in the process of creating a small network for the purposes of studying SQL.
I have installed Win 8 and Hyper-V, created a bunch of 2012 VM’s and promoted one to a DC. The installation of directory services and promotion to a DC runs fine until the server reboots (as part of the process); the server then goes straight into automatic repair mode. This also happens if I do this in VMware Workstation.

Already have two Enterprise Domain Controllers that are running 2012 and 18 site DC’s running 2012r2 (bare metal rebuilds). All that is left is to upgrade the 2012 servers to 2012r2. Can I do a simple in place o/s upgrade? I have already moved the FSMO roles. Not sure I want/need to do a full rebuild.